Apr 26, 2021

Internal Controls to Prevent Fraud: The Basics Still Matter

William EbersoleBy William E. Ebersole, CPA, JD

Suppose you learned that a coworker had just been identified as stealing from the company over the course of several years. The feelings of betrayal, concern, and uncertainty would be substantial; I know they were for me. Prior to embarking on my 26-year career in the criminal justice system, I worked in a financial institution. There, a coworker got caught embezzling by an internal audit after attempting to circumvent a series of internal controls. Fortunately, the crime was caught early and the internal guardians kept losses to a minimum.

During my time with the Federal Bureau of Investigation (FBI), I noted that quite a few organizations that were victimized by a fraudster or embezzler had previously invested substantial time and money developing an excellent system of internal controls. It seemed their exposure occurred when critical controls were relaxed, either for convenience or to prevent an awkward situation with a subordinate who, after all, would “never do anything to harm the company.” Famous last words.

Man holding money behind his back, crossing fingers in a lie.A particular embezzlement I investigated comes to mind. A federally insured financial institution advised me that it had recently updated its systems and processes but noted that several hundred thousand dollars were identified as missing. In particular, one account just would not balance with the new records system.

The primary suspect was a long-term, beloved employee who had sole authority over a critical financial account. This was an unfortunate mistake that should have been addressed long before the embezzlement. The worker was known for buying lavish gifts for other employees to celebrate milestone events, such as weddings, graduations, and retirements. Further, the worker took frequent trips which, in and of themselves, would have greatly exceeded the worker’s publicly available salary range.

After our investigation, we identified the offender’s method of operation as a simple skimming technique, i.e., taking a small amount of funds from otherwise legitimate transactions. Over the course of 20 years, the skimming added up to hundreds of thousands of dollars and also inflicted substantial brand damage with customers, insurance companies, and government regulators. The financial institution had numerous internal control measures in place to stop this type of criminal activity, however, none of the measures were followed – an internal control failure on the level of a perfect storm. Had at least some of these measures been enforced, a tremendous financial loss and upsetting event for all employees could have been mitigated or avoided all together.

All business entities should implement and adhere to some basic internal control procedures. Separation of responsibility, for one, is critical. Never allow one person to have custody of an asset along with record keeping and authorization responsibilities. Further, for employees with key responsibilities, consider implementing and enforcing a policy that mandates these critical employees to cross-train at least one co-worker in their responsibilities. Follow-up this policy with a mandatory 40-hour vacation so the newly trained co-worker can practice their skills and potentially come across any errors or irregularities committed by the key employee.

In addition, pay attention to employees who show up for work outside normal hours, such as late at night, on weekends, or on a recognized holiday. At first glance, this may be the sign of a diligent employee. However, individuals who need office-based resources to facilitate their fraud, such as a company computer located in the office, may commit criminal acts at odd hours when the chances of management walking in on the illegal activity are greatly reduced. A little professional skepticism goes a long way.

Implement and enforce a transaction approval policy. If external auditors determine that transactions exceeding $1,000 are material, set your policy to require an independent review of every transaction over $750 as a start. Monitoring via internal control should be implemented to ensure that the policy is routinely followed and that $750 is an appropriate threshold. Any employee who is identified as violating this policy should be evaluated further by company leadership.

Also, ensure that internal control measures that require monthly review of transaction appropriateness and proper approval are actually conducted. By all means, run the numbers yourself and use this opportunity to explain to the employee that internal control measures are meant to protect the company and all of the employees. Honest, conscientious employees should use this opportunity to demonstrate their hard work and honest efforts.

Finally, research by the Association of Certified Fraud Examiners and my own personal experience shows that individuals consistently living well beyond their means are potentially involved in criminal activity. Although not part of the traditional activities for internal or external auditors, conducing a commonsense analysis of an employee’s lifestyle can help reduce the threat to the employing organization. What lies beneath a coworker’s lavish lifestyle may be nefarious activity that threatens an otherwise thriving company.

William E. Ebersole, CPA, JD, is security compliance/emergency manager for Disney Cruise Line in Celebration, Fla. He can be reached at spykids1229@brighthouse.com.

Sign up for weekly professional and technical updates from PICPA's blogs, podcasts, and discussion board topics by completing this form.

Leave a comment

Follow @PaCPAs on Twitter
Statements of fact and opinion are the authors’ responsibility alone and do not imply an opinion on the part of PICPA officers or members. The information contained in herein does not constitute accounting, legal, or professional advice. For professional advice, please engage or consult a qualified professional.